Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Digital Identity – A digital representation of a principal (or group of principals) that is unique to that principal (or group), and that acts as a reference to that principal (or group). For example, an email address MAY be treated as a digital identity, just as a machine’s unique IP address MAY also be treated as a digital identity, or even a generated unique identifier. In the context of this document, the term identity is often used to refer to a digital identity. A principal may have multiple digital identities,

3.
Federated identity
• Federation – A federation is a collection of realms that have established a
producer-consumer relationship whereby one realm can provide authorized
access to a resource it manages based on an identity, and possibly associated
attributes, that are asserted in another realm*.
 TL;DR: A company can give access to a resource based on an identity asserted by
another company.
• Identity – The identity of an individual is the set of information associated
with that individual in a particular computer system.**
 Can be extended to system entities, such as computers/service accounts.
 The term "principal" is used to refer to system entities/individuals in computer systems.
** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the
Lens of Privacy, The National Academies Press, 2003
* Web Services Federation Language (WS-Federation), Version 1.1, December 2006

5.
The classic approach
• Partner company maintains a user database for its application
• Each user from our company is assigned an account for partner's application
• Typical login: username/password
• Many partner websites -> many usernames/passwords
• Challenging to maintain these userIDs
 User quits the company, internal account closed. What about accounts in all
partnering companies' applications?
 Challenging to keep track of who has access to what
 No central management of Ids
• Federated identity to the rescue!

7.
The building blocks
• Trust - Trust is the characteristic that one entity is willing to rely upon a
second entity to execute a set of actions and/or to make set of assertions*
about a set of subjects and/or scopes.
• Claims based identity
• Claim – A claim is a declaration made by an entity (e.g. name, identity, key,
group, privilege, capability, etc).
• Means to (securely) communicate identity information between realms
• Security Token – A security token represents a collection (one or more) of
claims.
* Claim and assertion are synonyms

8.
Important roles
• Identity Provider (IP) – An Identity Provider is an entity that acts as an
authentication service to end requestors and a data origin authentication
service to service providers.
• Security Token Service (STS) - A Security Token Service is a Web service
that provides issuance and management of security tokens.
• Relying Party – A Web application or service that consumes Security
Tokens issued by a Security Token Service.

9.
Security token
• Contains claims about the user
 Typical claims: Username, user's name, e-mail address, groups (for authz)
• Signed by STS
 RP can verify that it was issued by a trusted STS
 Tamper-proof
• Lifetime (valid from/to)
• Intended for a particular RP
• Can also be encrypted -> only the intended RP can decrypt it
• Can be on different formats, often SAML

12.
User
My company
(Realm)
Partner company
(Realm)
IP STS Relying party
Authenticate
Relying party
Another partner
company (Realm)

13.
Architectural advantages
• Separates authentication logic from application
• Enables single-sign-on for a suite of applications
 Provides a seamless experience across stand-alone applications
• Yields great flexibility when building e.g. an online bank
 Different services can be provided through separate applications
 Simplifies releases
 Makes it easier for multiple teams to work in parallell
 Opens the possibility to host different applications in separate environments
 E.g. some apps hosted locally, some apps hosted in the cloud
 Simplifies integration of third party applications
 Facilitates privacy-by-design, carefully selecting claims provided to various
applications

16.
A few challenges
• Providing flexibility in common functionality
 Handling change to "shared" menus etc.
• Care must be taken with regards to session management

17.
Building federated identity systems
• We need minimum three things, an IP, an STS, and an RP
• The RP usually contains the features (customer value). Everyone wants this!
• IPs and STSs, you build because you have to (though some of us thinks it's
great fun)
• Want to spend as much time as possible on building the fun stuff – features.
• Authentication as a service?

18.
Windows Identity Foundation
• Framework for building identity-aware applications
• Included in the .NET Framework 4.5
 Available as a separate library before .NET 4.5
• Provides APIs for building Relying Parties and STSs
 Provides a programming model for working with claims based identity
• Provides out-of-the-box functionality for RPs